Security Incident Response Language: English Collocations
Security incidents demand fast, precise communication. From containing a breach to escalating to executives and capturing lessons learned, each phase of incident response has its own vocabulary. This exercise covers the collocations used in security operations centres, incident war rooms, and post-incident reviews.
0 / 5 completed
1 / 5
The security team immediately moved to ___ the breach by isolating the affected systems from the network.
Contain the breach is the standard security incident response collocation — the first phase of incident response is containment. 'Stop' implies termination; 'limit' and 'control' are less precise in the incident management vocabulary. 'Contain' is the canonical term in frameworks like NIST and SANS.
2 / 5
The CISO asked the response team to ___ the incident to the executive team within the first two hours.
Escalate the incident is the precise security operations collocation — escalation implies invoking a higher authority or more senior response team. 'Report' and 'notify' are informational; 'communicate' is too broad. 'Escalate' is the term used in incident response playbooks for triggering executive involvement.
3 / 5
The forensics team was brought in to ___ the attack vector and determine how access was gained.
Investigate the attack vector is the natural collocation in post-breach analysis — forensics teams 'investigate' to reconstruct events and identify entry points. 'Analyse' focuses on data; 'examine' is more physical; 'assess' implies evaluation rather than discovery. 'Investigate' is the standard verb in incident reports.
4 / 5
The security team worked overnight to ___ the vulnerability by deploying an emergency patch.
Mitigate the vulnerability is the precise security collocation — mitigation reduces the risk or impact without necessarily eliminating it entirely, which is the realistic goal of emergency patching. 'Fix' and 'resolve' imply full elimination; 'address' is vaguer. 'Mitigate' is the standard term in vulnerability management.
5 / 5
After restoring systems, the team compiled an incident report to ___ lessons for future response improvements.
Capture lessons is the natural post-incident collocation — 'capturing' lessons implies collecting insights before they are forgotten. 'Document' is also widely used; 'record' and 'note' are more mechanical. 'Capture lessons' is the preferred phrasing in incident management and resilience engineering discussions.